The document discusses identity proofing using OpenID Connect. It provides examples of use cases that require identity verification like opening a bank account or accessing health data. It proposes representing verified identity claims in a composite JSON Web Token claim that includes metadata about the verification process and the verified claims. An example token is given that verifies a user's name, date of birth, place of birth and nationality according to a specified assurance level by referencing an existing bank verification. The document also describes how to request specific verified claims from the identity provider.
2. Use Cases
● Opening a banking account (Anti-Money Laundering)
● Applying for a loan (Anti-Money Laundering)
● Signing up for a mobile subscription (Anti-Terrorism)
● Identification for access to health data
● Qualified electronic signature (eIDAS/electronic IDentification, Authentication and trust Services)
3. Representation
● needed for
○ User Claim Values
○ Confidence Level (per claim or set of claims)
○ Data about the verification process and the respective identity sources (e.g. id document number)
● supports mixture of verified and unverified claims, e.g. self-declared address and verified name
● can be used with: User Info, ID Token, Access Token Introspection
-> And there needs to be a way to request specific claims to be verified (selective disclosure)
4. Example
● The RP wants to identify the user according to eIDAS assurance level substantial, which requires the following data
○ Name, Birth Date and Place of Birth, nationality
● User (Max) utilizes KYC data associated with his Online-Banking Account
● Max Meier’s identity was verified using his ID Card by the Bank (Sparkasse Musterstadt) according to the German Anti-Money Laundering Law.
● The Bank delegated that verification process to an agency (Deutsche Post).
● RP needs to get an attestation about the whole process for its audit trail.
5. Approach
● Dedicated composite verified person data claim built from
○ Sub element containing all metadata regarding the verification
○ Another sub element containing the actual user claims
● Additional user claims (e.g. for nationality)
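An added example (not from the slides) of how an RP could enforce this split: only claims inside the composite element count as verified, and the verification metadata is returned for the audit trail. The member names (verified_person_data, verification, claims, assurance_level, delegated_to and the others) and all sample values are assumptions made for illustration.

```python
# Added example: RP-side policy check over a composite verified-identity claim.
# All member names below are assumed for illustration; the slides do not fix them.
EIDAS_LEVELS = ["low", "substantial", "high"]  # eIDAS assurance levels, ascending
REQUIRED = {"given_name", "family_name", "birthdate", "place_of_birth", "nationality"}

def check_verified_identity(payload, required=REQUIRED, min_level="substantial",
                            container="verified_person_data"):
    """Return (ok, verified_claims, verification_metadata, problems)."""
    # Only claims inside the composite container count as verified; a same-named
    # top-level claim is self-declared and must not satisfy the policy.
    problems = []
    composite = payload.get(container)
    if not isinstance(composite, dict):
        return False, {}, {}, ["composite claim missing"]
    verification = composite.get("verification")
    claims = composite.get("claims")
    if not isinstance(verification, dict) or not isinstance(claims, dict):
        return False, {}, {}, ["composite claim lacks verification or claims element"]
    level = verification.get("assurance_level")
    if level not in EIDAS_LEVELS:
        problems.append(f"unknown assurance level: {level!r}")
    elif EIDAS_LEVELS.index(level) < EIDAS_LEVELS.index(min_level):
        problems.append(f"assurance level {level} below {min_level}")
    for name in sorted(required - set(claims)):
        where = "only self-declared" if name in payload else "absent"
        problems.append(f"{name}: {where}")
    return not problems, dict(claims), dict(verification), problems

# Constructed sample payload for the scenario on the slides (values are made up).
SAMPLE = {
    "sub": "constructed-subject-id",
    "address": {"locality": "Musterstadt"},  # self-declared, outside the composite
    "verified_person_data": {
        "verification": {
            "assurance_level": "substantial",
            "legal_context": "German Anti-Money Laundering Law",
            "method": "id_card",
            "verifier": "Sparkasse Musterstadt",
            "delegated_to": "Deutsche Post",
        },
        "claims": {
            "given_name": "Max", "family_name": "Meier", "nationality": "DE",
            "birthdate": "1970-01-01", "place_of_birth": "Musterstadt",
        },
    },
}

if __name__ == "__main__":
    print(check_verified_identity(SAMPLE))
```

The returned verification metadata is what the RP would store as its attestation of the process; the problems list is what it would log when a request is refused.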